Cybersecurity of the Week: USB worm against crypto wallets, Beats Studio Buds vulnerability, and a new wave of Android trojans

This week, the cyber threat landscape for digital asset holders has been expanded by several dangerous attack vectors. From self-propagating USB worms to sophisticated Android trojans, attackers continue to refine their tactics. I have analyzed the key events and am ready to share the details.
USB Worm: A New Way to Steal Cryptocurrencies via Hidden Windows Shortcuts
Particular attention should be paid to a campaign where malware uses physical media for self-propagation. The mechanism is triggered when a modified shortcut file (.LNK) on a USB drive is opened. Once activated, the worm contacts a command server in the .onion domain zone, downloading additional modules.
The key feature is that the malware scans the system for user documents, hides the originals, and replaces them with malicious shortcuts. Thus, every file access triggers a chain reaction. For self-replication to new USB drives, a scheduled task is created that monitors the connection of external media.
The stealer only enters its active phase when Task Manager is not running. It monitors the clipboard every half second, intercepting BIP39 seed phrases and wallet addresses for Bitcoin, Ethereum, Tron, and Monero. When a copied address is detected, the program replaces it with the attacker's details, selecting visually similar characters. Additionally, it takes five screenshots every ten seconds. Activity has been recorded since February, and the main indicators of infection are behavioral: suspicious activity from wscript.exe, unexpected Curl launches, and connections to localhost:9050.
Android Trojan Rokarolla: Full Device Takeover
Researchers have identified a new Android trojan, Rokarolla, whose arsenal includes 137 remote commands. It spreads through fake websites disguised as installers for TikTok and Google Chrome. The first stage involves imitating the Google Play Protect system component, after which social engineering tricks the victim into granting access to Accessibility Services.
Once permission is obtained, the trojan disables the real Play Protect and downloads fake HTML authorization pages for each active app on a target list. When the user opens a legitimate crypto wallet, the malware overlays it with a fake window. A separate overlay mimics the Android lock screen to steal the PIN. To bypass 2FA, the trojan reads all SMS messages and can block incoming calls from bank anti-fraud systems. The main defense is vigilance when granting permissions to Accessibility Services.
Beats Studio Buds Vulnerability: Eavesdropping via Bluetooth
Apple has released a firmware update for Beats Studio Buds, fixing the vulnerability CVE-2025-20701. The flaw, related to incorrect authorization in the Bluetooth audio SDK, allowed attackers within Bluetooth range to connect to the headphones without the user's knowledge if the headset was unpaired and active in discovery mode. The exploit was activated via standard Bluetooth or BLE without authentication, providing nearly complete control over the device: from eavesdropping to intercepting trust relationships with previously paired smartphones.
Analyst's Opinion
This week shows a worrying trend: attackers are moving from simple phishing attacks to complex multi-stage schemes using physical media and full mobile device takeover. The USB worm operating through Tor is an evolution of threats that requires users to be vigilant not only digitally but also physically. I recommend limiting the use of third-party USB drives and regularly checking the activity of wscript.exe and cscript.exe processes.